httpd: Filter-out private-but-pinned repos — heartwood

They should only be visible to localhost.

                 Visibility::Public => true,
             })
             .collect::<Vec<_>>(),
         ProjectQuery::Pinned => storage.repositories_by_id(pinned.repositories.iter())?,
         ProjectQuery::Pinned => storage
             .repositories_by_id(pinned.repositories.iter())?
             .into_iter()
             .filter(|repo| match &repo.doc.visibility {
                 Visibility::Private { .. } => addr.ip().is_loopback(),
                 Visibility::Public => true,
             })
             .collect::<Vec<_>>(),
     };
     projects.sort_by_key(|p| p.rid);